The Top 10 Biggest Data Breaches of 2015 (Part 2)

5: Excellus Blue Cross/Blue Shield

Breach Size: 10 million accounts

Breach Source: External Attack

In August of 2015, Excellus Blue Cross Blue Shield was undergoing a forensic review of its computer systems when it discovered that the healthcare organization’s records system had been breached. As reported by USA Today in an article about the Excellus breach, “information for as many as 10 million of its clients nationwide may have been exposed in an attack dating back to 2013.”

According to reports, Excellus had initiated the forensic review following the rise in attacks against companies in the healthcare sector. The review came late, however: the attack had gone undetected for more than a year and a half.

Given such prolonged, unfettered access to sensitive information such as Social Security numbers, birthdates, member ID numbers, financial account data, and more for millions of people, it’s hard to estimate what the total impact of this breach will ultimately be.

Although an Excellus spokesman reported that the company “has found no evidence of data leaving its computers or being used inappropriately,” Excellus still offered two years of free identity theft protection services to customers who may have been affected.

4: Premera Blue Cross

Breach Size: 11 million records

Breach Source: Phishing attack/malware upload

Premera Blue Cross suffered a massive data breach that resulted in lawsuits being filed against the company.

According to information cited by legal news reporting site Law360, “a phishing email persuaded an employee to install a ‘software update’ that was malware and gave hackers access to the company’s databases.” This happened a few weeks after the Office of Personnel Management (which audits Premera as an administrator of federal employee health plans) had told Premera in April of 2014 to fix vulnerabilities in its systems.

The breach was initially detected on January 29, 2015—but wasn’t reported to the FBI until February 20. Stolen data included Social Security numbers, financial information, and medical claims information that could be used to steal consumer identities.

At the time of this writing, litigation is still ongoing across multiple districts.

3: T-Mobile/Experian

Breach Size: 15 million customer records

Breach Source: External hack of Experian’s T-Mobile customer server

In 2015, hackers breached one of Experian’s servers, compromising the data of roughly 15 million applicants for T-Mobile USA postpaid plans who applied between September 1, 2013 and September 16, 2015.

According to a Bloomberg Technology article released after the breach was announced, “the hackers stole names, addresses and Social Security numbers” from the credit bureau’s servers.

This data could allow for massive identity fraud, and authorities urged “T-Mobile customers and applicants to immediately place fraud alerts on their credit records or pay for security freezes” to combat fraud attempts.

2: U.S. Office of Personnel Management (OPM)

Breach Size: 21.5 million background investigation records

Breach Source: External attack

This breach was another supermassive event, spanning more than a full year of a government agency struggling to thwart sophisticated, persistent attackers. According to a government oversight panel report cited by Krebsonsecurity.com, “OPM first learned something was amiss on March 20, 2014, when the US-CERT notified the agency of data being exfiltrated from its network.”

In May 2014, OPM thought it had thwarted the attack when it implemented a large-scale plan to evict the known intruder from its network. Unbeknownst to OPM and US-CERT, a second intruder, dubbed “X2” in the report, had already established a separate foothold on OPM’s systems with a separate malware infection, a foothold the attacker would use to steal sensitive security clearance background investigation files.

In March 2015, the attackers registered a new domain for use “as a command-and-control network” for managing their malware and moving stolen data. By the time this second intrusion was detected, millions of records had already been exfiltrated.

According to the Krebs article, the intrusion was “widely attributed to hackers working with the Chinese government” and “likely pointed out which federal employees working for the U.S. State Department were actually spies trained by the U.S. Central Intelligence Agency” since the CIA conducts background checks internally rather than through OPM.

This particular breach not only exposed millions of Americans to potential identity theft and fraud, it could be a major national security issue.

The tragedy here is that the attack was preventable. According to the government oversight panel report, “had the OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft.”

1: Anthem Inc.

Breach Size: 78.8 million records, including roughly 8.8 million belonging to customers of other Blue Cross Blue Shield plans whose data was held in Anthem’s systems

Breach Source: Unverified external attack

The Anthem data breach isn’t just one of the biggest data breaches of 2015, it ranks among the biggest data breaches of all time—maybe not at the top, but high on the list.

Even more than a year after the data breach of Anthem’s systems, details about the hack remain scarce. According to a modernhealthcare.com article about the hack released in March 2016, “Anthem hired cybersecurity firm Mandiant in the aftermath of the hack. Vitor De Souza, a spokesman at FireEye, Mandiant’s parent company, said their work with Anthem is confidential under their contractual obligations.”

A structural weakness of large healthcare organizations such as Anthem is that many of them run numerous incompatible legacy systems tied together after mergers between companies using different IT stacks. The result is an uneven security profile: inconsistent patching, monitoring, and access control across systems, leaving gaps that attackers can exploit.

Until more information about the Anthem hack is made publicly available, a full dissection of the events leading up to the breach will have to wait.

What is known is that hackers were able to access Anthem systems storing the names, birth dates, SSNs, addresses, and other personally-identifying information of more than 78 million customers and employees both past and present.

What’s the Lesson We Can Learn from 2015’s Biggest Breaches?

From the smallest mom-and-pop operation, to the biggest Fortune 500 companies, cyber security is a constant concern. In fact, the more data your organization is entrusted with, the more important it is that you use every protective measure you can to keep that data safe.

Many of the breaches in this list could have been thwarted with security measures such as:

Basic Security Training for Employees. Every employee with access to your sensitive data should know how to recognize a phishing attempt, how to check where an email link actually points before clicking it, and why they should never share their account credentials with anyone. The Premera intrusion began with exactly this kind of lure: a fake “software update” delivered by email.

Data Encryption. Encrypting sensitive data at rest and in transit is a must for modern organizations. Encryption won’t stop an intrusion, but it can prevent or at least delay thieves from using what they steal, provided the keys are stored and managed separately from the data. If an attacker obtains the credentials of an application that decrypts records on demand, encryption of the underlying database buys very little.

Intrusion Detection/Prevention Systems. The gap between the start of a breach and its detection (the attacker’s dwell time) is a hacker’s greatest advantage. The more time they have to work without interference, the more damage they can do and the more data they can steal: Excellus’s intruders had more than a year and a half, and OPM’s second intruder survived an eviction operation aimed at the first. Intrusion detection and prevention systems, including monitoring of outbound traffic for unusual data transfers, make faster detection and response to an attack in progress possible.

Multi-Factor Authentication. A username and password alone just isn’t enough to protect sensitive data in this day and age. Two-factor or stronger authentication, at minimum for remote access and for privileged and administrative accounts, is a necessity for ensuring that only authorized persons are logging into your systems.

Firewalls. Modern firewalls need to do more than just track a packet’s source and destination, especially when savvy attackers can spoof that information. Deeper inspection of packet integrity, file types, and file content is needed to maximize resilience against outside attack. Outbound (egress) filtering matters as much as inbound rules: the command-and-control domain the OPM attackers registered only worked because compromised hosts were allowed to reach it.
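As an added example (not code from the original article, and not any vendor’s product), the following Python script shows one form of the detection logic the intrusion-detection point above argues for: baselining each host’s outbound traffic against its own history to catch bulk exfiltration, the kind of activity US-CERT reported to OPM. The flow-log line format, the sample records, and the threshold values are all constructed assumptions for illustration.

```python
"""Flag likely bulk exfiltration in outbound flow records by comparing each
host against its own history. Added example, not the article's own code.

Assumed (constructed) flow-log line format:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Illustrative policy (assumptions, not values from any product): a day is
# suspicious when a host sends more than BASELINE_FACTOR times its own median
# daily volume AND at least MIN_DAILY_BYTES; a first-ever destination that
# receives NEW_DST_MIN_BYTES or more in a day is suspicious on its own.
BASELINE_FACTOR = 5
MIN_DAILY_BYTES = 50_000_000
NEW_DST_MIN_BYTES = 20_000_000

# Constructed sample records (not real traffic). Host 10.0.5.21 talks to an
# internal file server and one external address for four days, then on the
# fifth pushes ~450 MB to an address it has never contacted. Host 10.0.5.22 is
# a control that stays normal throughout.
SAMPLE_FLOWS = """
2015-03-01T09:12:00 10.0.5.21 10.0.0.5 5000000
2015-03-01T11:40:00 10.0.5.21 203.0.113.7 3000000
2015-03-01T10:05:00 10.0.5.22 10.0.0.5 6000000
2015-03-02T09:15:00 10.0.5.21 10.0.0.5 5000000
2015-03-02T13:02:00 10.0.5.21 203.0.113.7 3000000
2015-03-02T10:11:00 10.0.5.22 10.0.0.5 6000000
2015-03-03T09:20:00 10.0.5.21 10.0.0.5 5000000
2015-03-03T12:44:00 10.0.5.21 203.0.113.7 3000000
2015-03-03T10:03:00 10.0.5.22 10.0.0.5 6000000
2015-03-04T09:09:00 10.0.5.21 10.0.0.5 5000000
2015-03-04T14:21:00 10.0.5.21 203.0.113.7 3000000
2015-03-04T10:30:00 10.0.5.22 10.0.0.5 6000000
2015-03-05T09:14:00 10.0.5.21 10.0.0.5 4000000
2015-03-05T11:03:00 10.0.5.21 203.0.113.7 3000000
2015-03-05T02:17:00 10.0.5.21 198.51.100.23 450000000
2015-03-05T10:09:00 10.0.5.22 10.0.0.5 6000000
"""


def parse_flows(text):
    """Parse 'timestamp src dst bytes' lines into (date, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts).date(), src, dst, int(nbytes)))
    return records


def daily_totals(records):
    """Return {src: {day: bytes}} and {src: {day: {dst: bytes}}}."""
    per_day = defaultdict(lambda: defaultdict(int))
    per_day_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, src, dst, nbytes in records:
        per_day[src][day] += nbytes
        per_day_dst[src][day][dst] += nbytes
    return per_day, per_day_dst


def find_exfil_candidates(records):
    """Return (day, src, reason) alerts for days that break a host's own baseline.

    The baseline for a day is built only from that host's earlier days, so the
    anomalous day cannot inflate the median it is judged against. The first
    observed day of a host has no baseline and is never flagged.
    """
    per_day, per_day_dst = daily_totals(records)
    alerts = []
    for src, days in per_day.items():
        ordered = sorted(days)
        seen_dsts = set()
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]
            today = days[day]
            if prior:
                base = median(prior)
                if today > max(MIN_DAILY_BYTES, BASELINE_FACTOR * base):
                    alerts.append((day, src, f"outbound {today} B exceeds "
                                   f"{BASELINE_FACTOR}x median {base:.0f} B"))
            for dst, nbytes in per_day_dst[src][day].items():
                if i > 0 and dst not in seen_dsts and nbytes >= NEW_DST_MIN_BYTES:
                    alerts.append((day, src, f"{nbytes} B to never-before-seen "
                                   f"destination {dst}"))
            seen_dsts.update(per_day_dst[src][day])
    return alerts


if __name__ == "__main__":
    for day, src, reason in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{day} {src}: {reason}")
```

Run against the constructed sample, the script raises two alerts, both for 10.0.5.21 on 2015-03-05 (the volume spike and the new destination), and none for the control host. In a real deployment the same two signals would be fed by NetFlow/IPFIX or proxy logs and tuned per host role, since a backup server legitimately moves far more data than a workstation.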

Data security is a grave concern for modern businesses.

The question is, “does your business have the tools to identify an attack attempt, trace it back to its source, and prevent sensitive data from being stolen?”